address
...
1. The IPv4 source address of the encapsulating ("outer") packet can
be spoofed.
...
... ingress filtering. [RFC4213] specifies the following strict
address checks as mitigating measures:
o To mitigate threat (1), the decapsulator verifies that the IPv4
source address of the packet is the same as the address of the
configured tunnel endpoint ...
... o To mitigate threat (2), the decapsulator verifies whether the
inner IPv6 address is a valid IPv6 address and also applies IPv6 ...
... transport mode
does not verify the contents of the payload itself where the IPv6
addresses are carried. That is, two nodes using IPsec transport mode ...
... endpoint.
The outer IPv4 addresses may be spoofed, and IPsec cannot detect this
in tunnel mode; the packets will be demultiplexed based on the SPI
and possibly the IPv6 address bound to the SA. Thus, the outer
address spoofing is irrelevant as long as the decryption succeeds and
...
... IPv6 packet takes.
The source and destination addresses of the IPv6 packets traversing
the tunnel ...
... IPv6 prefixes, so binding
IPv6 addresses to be used to the SA is not generally feasible. IPv6
...
... The hosts in the site originate the packets with IPv6 source
addresses coming from a well-known prefix, whereas the destination
addresses could be any nodes on the Internet.
...
... router at Site B, and Router A could verify
that the source address of the packet matches the prefix. Site B
will not be able to do a similar verification ...
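The two strict checks quoted from [RFC4213] above (outer IPv4 source equals the configured tunnel endpoint; inner IPv6 source is a valid address and passes ingress filtering) and the prefix verification Router A performs on traffic from Site B amount to the same decapsulator logic. The following is an added example, not code from RFC 4891 or RFC 4213; the tunnel endpoint 192.0.2.1, the site prefix 2001:db8:1::/48, the packet builder and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Added example, not code from RFC 4891 or RFC 4213. It implements the strict
# decapsulator checks of RFC 4213 for an IPv6-in-IPv4 (IP protocol 41) packet.
# Hypothetical configuration: the remote tunnel endpoint is 192.0.2.1 and the
# remote site is expected to source packets from 2001:db8:1::/48.
TUNNEL_REMOTE_IPV4 = ipaddress.IPv4Address("192.0.2.1")
REMOTE_SITE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")

IPPROTO_IPV6 = 41


def build_packet(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Build a minimal IPv6-in-IPv4 packet (constructed test input)."""
    inner = struct.pack(
        "!IHBB16s16s",
        0x60000000,                     # version 6, traffic class 0, flow label 0
        len(payload),                   # payload length
        59,                             # next header: no next header
        64,                             # hop limit
        ipaddress.IPv6Address(inner_src).packed,
        ipaddress.IPv6Address(inner_dst).packed,
    ) + payload
    outer = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(inner),       # version/IHL, TOS, total length
        0, 0,                           # identification, flags/fragment offset
        64, IPPROTO_IPV6, 0,            # TTL, protocol 41, checksum (not computed here)
        ipaddress.IPv4Address(outer_src).packed,
        ipaddress.IPv4Address(outer_dst).packed,
    )
    return outer + inner


def valid_ipv6_source(addr):
    """RFC 4213-style validity check on the inner IPv6 source address."""
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        return False
    if addr.ipv4_mapped is not None:        # ::ffff:a.b.c.d must not appear on the wire
        return False
    if int(addr) >> 32 == 0:                # deprecated IPv4-compatible ::a.b.c.d
        return False
    return True


def decapsulate(packet, remote_v4=TUNNEL_REMOTE_IPV4, remote_prefix=REMOTE_SITE_PREFIX):
    """Return (accepted, reason, inner_packet); inner_packet is None when rejected."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False, "outer header is not IPv4", None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_IPV6:
        return False, "outer protocol is not 41", None
    outer_src = ipaddress.IPv4Address(packet[12:16])
    # Threat (1): a spoofed outer source. Only the configured endpoint is accepted.
    if outer_src != remote_v4:
        return False, f"outer source {outer_src} is not the configured tunnel endpoint", None
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return False, "inner packet is not IPv6", None
    inner_src = ipaddress.IPv6Address(inner[8:24])
    # Threat (2): the inner source must be a valid IPv6 source address ...
    if not valid_ipv6_source(inner_src):
        return False, f"inner source {inner_src} is not a valid source address", None
    # ... and must pass ingress filtering for this tunnel: the prefix the peer is
    # allowed to originate from, as Router A would check for Site B's prefix.
    if inner_src not in remote_prefix:
        return False, f"inner source {inner_src} is outside {remote_prefix}", None
    return True, "accepted", inner


if __name__ == "__main__":
    samples = [
        ("good", build_packet("192.0.2.1", "203.0.113.9", "2001:db8:1::10", "2001:db8:2::1")),
        ("spoofed outer", build_packet("198.51.100.7", "203.0.113.9", "2001:db8:1::10", "2001:db8:2::1")),
        ("wrong prefix", build_packet("192.0.2.1", "203.0.113.9", "2001:db8:9::1", "2001:db8:2::1")),
        ("mapped source", build_packet("192.0.2.1", "203.0.113.9", "::ffff:192.0.2.5", "2001:db8:2::1")),
    ]
    for name, pkt in samples:
        ok, why, _ = decapsulate(pkt)
        print(f"{name:14s} {'ACCEPT' if ok else 'DROP  '} {why}")
```

The outer-source check is only as strong as the IPv4 path's own anti-spoofing; the RFC's point is that the inner-address checks are what actually bound what an off-path attacker can inject through the tunnel.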
...
In this case, the source and the destination IPv6 addresses are known
a priori. A tunnel mode SA could be bound to these specific
addresses. Address verification prevents IPv6 source address ...
...
2. IKEv2 supports dynamic address configuration, which may be used
to configure the IPv6 address of the host.
...
... 2. In router-to-router tunnels, the source and destination addresses
of the traffic could come from a wide range ...
... RFC3884]. This mainly affects scenario (1).
3. Source address selection depends on the notions of routes and
interfaces. This implies that the reachability ...
... The third requirement is also problematic, because almost all
implementations assume addresses are assigned on interfaces (rather
than configured in SPDs) for proper source address selection.
If the IPsec tunnel mode ...
... routers, Router1
and Router2, with tunnel endpoint IPv4 addresses denoted IPV4-TEP1
and IPV4 ...
... Identity of the peer asserted in the IKEv2 exchange: Many
different types of identities can be used. At least, the IPv4
address of the peer should be supported.
o IKEv2 ...
...
o The child SA authorization data should contain the IPv4 address of
the peer.
...
... applied to a tunnel interface. Source address spoofing can be
limited by enabling ingress filtering ...
... tunnel interface as the IPsec policy checks do not check the IPv6
addresses at all. Routing protocols, multicast, etc. will work
...
... interface for all IPsec traffic), there is no Duplicate
Address Detection (DAD), Multicast Listener Discovery (MLD ...
... SPD entries assume that there are two hosts, Host1 and
Host2, whose IPv6 addresses are denoted IPV6-EP1 and IPV6-EP2 (global
addresses), and the IPV4 addresses of the tunnel endpoints are
denoted IPV4 ...
... The following SPD entries assume that the host has the IPv6 address
IPV6-EP1 and the tunnel endpoints ...
... SUBNET as their phase 2
identities. The starting address is zero and the end address is all
ones for ID_IPV6_ADDR_RANGE. The starting address is zero IP address
and the end address is all zeroes for ID_IPV6 ...
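Two points above fit one worked model: inbound tunnel-mode processing demultiplexes on the SPI and decides on the integrity check, so the outer IPv4 source is never consulted; and the selectors bound to an SA are either the specific IPV6-EP1/IPV6-EP2 addresses of the host-to-host case or, for a router-to-router tunnel, a range whose start is zero and whose end is all ones. The following is an added example, not code from RFC 4891 or any IPsec implementation; the SPIs, keys, addresses and the integrity-only ESP-like framing (HMAC-SHA-256 truncated to 128 bits, no encryption) are hypothetical simplifications.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Added example, not from RFC 4891. Models inbound processing of an
# IPv6-in-IPv4 tunnel-mode SA: demultiplex by SPI, verify the ICV with the
# SA's key, then check the inner IPv6 addresses against the SA's selectors.
# Keys, SPIs and addresses are hypothetical; framing is integrity-only.

ALL_ZEROS = ipaddress.IPv6Address("::")
ALL_ONES = ipaddress.IPv6Address("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")


@dataclass(frozen=True)
class Selector:
    """ID_IPV6_ADDR_RANGE style selector: inclusive start and end address."""
    start: ipaddress.IPv6Address
    end: ipaddress.IPv6Address

    def contains(self, addr):
        return self.start <= addr <= self.end

    def encode(self):
        """Identification data of ID_IPV6_ADDR_RANGE: start address || end address."""
        return self.start.packed + self.end.packed


ANY_IPV6 = Selector(ALL_ZEROS, ALL_ONES)      # start zero, end all ones


def host_selector(addr):
    a = ipaddress.IPv6Address(addr)
    return Selector(a, a)


@dataclass
class TunnelSA:
    spi: int
    key: bytes
    src_sel: Selector          # inner IPv6 sources bound to this SA
    dst_sel: Selector          # inner IPv6 destinations bound to this SA


# Hypothetical SAD: a host-to-host SA bound to IPV6-EP1/IPV6-EP2 and a
# router-to-router SA that must carry any IPv6 address.
IPV6_EP1 = "2001:db8:1::10"
IPV6_EP2 = "2001:db8:2::20"
SAD = {
    0xC0000001: TunnelSA(0xC0000001, b"host-key-32-bytes-hypothetical!!",
                         host_selector(IPV6_EP2), host_selector(IPV6_EP1)),
    0xC0000002: TunnelSA(0xC0000002, b"router-key-32-bytes-hypothetical",
                         ANY_IPV6, ANY_IPV6),
}


def icv(key, spi, seq, inner):
    return hmac.new(key, struct.pack("!II", spi, seq) + inner, hashlib.sha256).digest()[:16]


def protect(sa, seq, inner_src, inner_dst, payload=b"constructed"):
    """Sender side: spi || seq || inner IPv6 packet || ICV (constructed input)."""
    inner = struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,
                        ipaddress.IPv6Address(inner_src).packed,
                        ipaddress.IPv6Address(inner_dst).packed) + payload
    return struct.pack("!II", sa.spi, seq) + inner + icv(sa.key, sa.spi, seq, inner)


def inbound(outer_src, esp, sad=SAD):
    """Receiver side; outer_src is passed only to show that it is not used."""
    if len(esp) < 8 + 40 + 16:
        return False, "short packet"
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sad.get(spi)
    if sa is None:
        return False, f"no SA for SPI {spi:#x}"
    inner, tag = esp[8:-16], esp[-16:]
    # The ICV decides, not the outer address: a spoofed outer source with a valid
    # ICV is accepted, the correct outer source with a bad ICV is dropped.
    if not hmac.compare_digest(tag, icv(sa.key, spi, seq, inner)):
        return False, f"ICV check failed on SPI {spi:#x}"
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    # Post-decapsulation check of the inner addresses against the SA's selectors.
    if not (sa.src_sel.contains(src) and sa.dst_sel.contains(dst)):
        return False, f"inner {src} -> {dst} outside the selectors bound to SPI {spi:#x}"
    return True, f"accepted on SPI {spi:#x} (outer source {outer_src} not consulted)"


if __name__ == "__main__":
    host_sa, router_sa = SAD[0xC0000001], SAD[0xC0000002]
    pkt = protect(host_sa, 1, IPV6_EP2, IPV6_EP1)
    print(inbound("192.0.2.2", pkt))                      # accepted
    print(inbound("198.51.100.7", pkt))                   # accepted: outer source irrelevant
    print(inbound("192.0.2.2", pkt[:-16] + bytes(16)))    # dropped: bad ICV
    print(inbound("192.0.2.2", protect(host_sa, 2, "2001:db8:9::1", IPV6_EP1)))  # dropped
    print(inbound("192.0.2.2", protect(router_sa, 1, "2001:db8:9::1", "2001:db8:8::1")))
    print(ANY_IPV6.encode().hex())                        # 16 zero bytes then 16 ff bytes
```

With the router-to-router SA the selector check passes for any pair of addresses, which is exactly why the text says the IPsec policy checks do not check the IPv6 addresses at all in that configuration and why ingress filtering on the tunnel interface is still needed.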
... B.1. Dynamic Address Configuration ...
... host in the host-to-router
scenario to obtain an IPv6 address from the ISP as part of setting up
...
...
2. Using NAT traversal allows the outer address to change without
having to renegotiate the SAs. This could be beneficial for a
...
... crude form of mobility and in scenarios where the NAT changes the
IP addresses frequently. However, as the outer address may
change, this might introduce new security issues, and using
...
... In particular, using manually configured tunneling is an operational
challenge with dynamic IP addresses, because both ends need to be
reconfigured if an address changes. Therefore, an easy and efficient
way to re-establish the IPsec tunnel if the IP address changes would
be desirable. MOBIKE [RFC4555 ...
...
o Using a pre-configured or pre-determined IPv4 anycast address.
o Using other, unspecified or proprietary methods ...
... methods.
For the purpose of this document, it is assumed that this address can
be obtained somehow. Once the address has been learned, it is
configured as the tunnel endpoint for the configured IPv6-in-IPv4 ...
... endpoint discovery provides benefit only if PAD information
is chosen in such a manner that it is not IP-address specific.
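The IKEv2 peer identity requirements above (an asserted IPv4 address identity must be supported; the child SA authorization data should contain the peer's IPv4 address) and the observation that endpoint discovery only helps when PAD entries are not IP-address specific can be shown with a small PAD check. This is an added example, not code from RFC 4891 or from any IKE implementation; the PAD entries, identities and addresses are hypothetical, and the cryptographic authentication of the asserted identity (certificate or pre-shared key) is assumed to have already succeeded before this check runs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not from RFC 4891. A minimal Peer Authorization Database (PAD)
# check for the IKEv2 exchange that sets up an IPv6-in-IPv4 tunnel. Entries,
# identities and addresses are hypothetical; identity authentication is assumed
# to have succeeded already.


@dataclass(frozen=True)
class PadEntry:
    id_type: str                                   # "ID_IPV4_ADDR" or "ID_FQDN"
    id_value: str
    # Child SA authorization data: the IPv4 tunnel endpoint(s) this peer may
    # use. None makes the entry independent of the peer's IPv4 address.
    peer_v4: Optional[ipaddress.IPv4Network]


PAD = [
    # IP-address specific: fine for a fixed endpoint, useless once it moves.
    PadEntry("ID_IPV4_ADDR", "192.0.2.1", ipaddress.IPv4Network("192.0.2.1/32")),
    # Not IP-address specific: the form endpoint discovery or MOBIKE needs.
    PadEntry("ID_FQDN", "router2.example.net", None),
]


def authorize_peer(id_type, id_value, outer_src, pad=PAD):
    """Return (authorized, reason) for a peer asserting id_type/id_value from outer_src."""
    outer = ipaddress.IPv4Address(outer_src)
    entry = next((e for e in pad if e.id_type == id_type and e.id_value == id_value), None)
    if entry is None:
        return False, f"no PAD entry for {id_type} {id_value}"
    # An asserted IPv4 identity must be the address the IKE messages came from;
    # otherwise the identity says nothing about the tunnel endpoint.
    if id_type == "ID_IPV4_ADDR" and ipaddress.IPv4Address(id_value) != outer:
        return False, f"{id_type} {id_value} asserted from a different address {outer}"
    # Child SA authorization: may this peer set up a tunnel ending at outer?
    if entry.peer_v4 is not None and outer not in entry.peer_v4:
        return False, f"{outer} is not an authorized tunnel endpoint for {id_value}"
    return True, f"{id_type} {id_value} authorized as tunnel endpoint {outer}"


if __name__ == "__main__":
    print(authorize_peer("ID_IPV4_ADDR", "192.0.2.1", "192.0.2.1"))      # authorized
    print(authorize_peer("ID_IPV4_ADDR", "192.0.2.1", "198.51.100.7"))   # refused
    print(authorize_peer("ID_FQDN", "router2.example.net", "198.51.100.7"))  # authorized
    print(authorize_peer("ID_FQDN", "router2.example.net", "203.0.113.5"))   # still authorized
```

The second entry is the one that survives an address change: the same FQDN identity authorizes the tunnel from whichever IPv4 address the peer currently has, while the first entry has to be rewritten whenever 192.0.2.1 moves.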
...
... Authors' Addresses ...
... copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
...
